-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/54698/
-----------------------------------------------------------
(Updated Dec. 14, 2016, 1:30 p.m.)
Review request for Ambari, Attila Doroszlai, Jaimin Jetly, Laszlo Puskas,
Oliver Szabo, Robert Levas, and Sebastian Toader.
Bugs: AMBARI-19187
https://issues.apache.org/jira/browse/AMBARI-19187
Repository: ambari
Description
-------
Hadoop components need to establish a secure connection with ZooKeeper when
Kerberos is enabled. This involves the setup of the correct authentication
(JAAS config file) and authorization (per-component Kerberos-backed ACLs on the
znodes) between the service and ZooKeeper. Most services are able to set these
ACLs based on their config when the user enable kerberos.
When we disable kerberos again, the sasl ACL should be removed otherwise the
services won't be able to access their znodes.
This issue is about introducing a new command (DISABLE_SECURITY) that will be
sent by the ambari server to the services upon the dekerberiztion process. When
a service receives this command it will be able to do the zookeeper secure to
unsecure migration process (e.g. removing sasl ACLs).
Notable changes:
- Added a java command line tool to the agent project that can setAcls
recursively on a znode
- Modified the dekerberization workflow:
- 1. UI stops all services but zookeeper
- 2. 2 new stages was introduced in the backend (send DISABLE_SECURITY command
to the services, start zookeeper)
Diffs (updated)
-----
ambari-agent/pom.xml a8ed7f1
ambari-agent/src/main/java/org/apache/ambari/tools/zk/ZkAcl.java PRE-CREATION
ambari-agent/src/main/java/org/apache/ambari/tools/zk/ZkConnection.java
PRE-CREATION
ambari-agent/src/main/java/org/apache/ambari/tools/zk/ZkMigrator.java
PRE-CREATION
ambari-agent/src/test/java/org/apache/ambari/tools/zk/ZkMigratorTest.java
PRE-CREATION
ambari-common/src/main/python/resource_management/core/resources/zkmigrator.py
PRE-CREATION
ambari-common/src/main/python/resource_management/libraries/script/script.py
584775e
ambari-server/pom.xml 48ddb52
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
3261a56
ambari-server/src/main/java/org/apache/ambari/server/metadata/ActionMetadata.java
0064662
ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
90f8098
ambari-web/app/controllers/main/admin/kerberos/disable_controller.js cec4503
Diff: https://reviews.apache.org/r/54698/diff/
Testing
-------
Added unittests for ZkMigrator, KerberosHelperImpl
Manual testings:
- created cluster with ambari
- enabled kerberos
- disabled kerberos
- checked if the DISABLE_SECURITY command was sent to the services
Ambari agent:
----------------------------------------------------------------------
Ran 450 tests in 10.634s
Ambari server:
----------------------------------------------------------------------
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 34:44.448s
[INFO] Finished at: Tue Dec 13 14:29:00 CET 2016
[INFO] Final Memory: 160M/798M
Thanks,
Attila Magyar
